Principles of Information Security, Fourth Edition
Chapter 8
Using Encryption
Learning Objectives
• Upon completion of this material, you should be
able to:
– Chronicle the most significant events and
discoveries in the history of cryptology
– Explain the basic principles of cryptography
– Describe the operating principles of the most popular
cryptographic tools
– List and explicate the major protocols used for
secure communications
– Discuss the nature and execution of the dominant
methods of attack used against cryptosystems
Introduction
• Cryptology: science of encryption; combines
cryptography and cryptanalysis
• Cryptography: process of making and using codes
to secure transmission of information
• Cryptanalysis: process of obtaining original
message from encrypted message without knowing
algorithms
• Encryption: converting original message into a form
unreadable by unauthorized individuals
• Decryption: the process of converting the ciphertext
message back into plaintext
Foundations of Cryptology
• Cryptology has a long and multicultural history
• With emergence of technology, need for encryption
in information technology environment greatly
increased
• All popular Web browsers use built-in encryption
features for secure e-commerce applications
Cipher Methods
• Plaintext can be encrypted through bit stream or
block cipher method
• Bit stream: each plaintext bit transformed into
cipher bit one bit at a time
• Block cipher: message divided into blocks (e.g.,
sets of 8- or 16-bit blocks) and each is transformed
into encrypted block of cipher bits using algorithm
and key
Cryptographic Algorithms
• Often grouped into two broad categories,
symmetric and asymmetric
– Today’s popular cryptosystems use hybrid
combination of symmetric and asymmetric
algorithms
• Symmetric and asymmetric algorithms
distinguished by types of keys used for encryption
and decryption operations
Symmetric Encryption
• Uses same “secret key” to encipher and decipher
message
– Encryption methods can be extremely efficient,
requiring minimal processing
– Both sender and receiver must possess encryption
key
– If either copy of key is compromised, an intermediate
can decrypt and read messages
Figure 8-5 Example of Symmetric Encryption
Substitution Cipher
• Substitute one value for another
• Monoalphabetic substitution: uses only one
alphabet
• Polyalphabetic substitution: more advanced; uses
two or more alphabets
• Vigenère cipher: advanced cipher type that uses
simple polyalphabetic code; made up of 26 distinct
cipher alphabets
Symmetric Cryptography
Symmetric Encryption
I love you → 143 ------------------- 143 → I LOVE YOU
Symmetric Encryption
Block versus Stream Ciphers
Requirements
Shift Cipher
• Each letter we identify with a number
• A=0
• B=1
• C=2
• ...
• Z = 25
• The key k is a number in the range 0 − 25
• Encryption adds k to each letter, modulo 26.
• Use the key k = 3.
• HELLO becomes
• KHOOR
ROT-13 cipher (2)
Caesar cipher
• Earliest known substitution cipher and first attested
use in military affairs
• The Roman emperor Julius Caesar used to
substitute each letter in his diplomatic
communications with the letter that was three letters
further along in the alphabet.
• Replaces each letter by 3rd letter on
• p : ABCDEFGHIJKLMNOPQRSTUVWXYZ
• F(p) : DEFGHIJKLMNOPQRSTUVWXYZABC
Caesar cipher (2)
• Example:
• Plaintext : ET TU BRUTUS
• Ciphertext : HW WX EUXWXV
Caesar cipher (3)
• Can define transformation as:
abcdefghijklmnopqrstuvwxyz
DEFGHIJKLMNOPQRSTUVWXYZABC
• Mathematically give each letter a number
a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
• Then have Caesar cipher as:
c = E(p) = (p + k) mod (26)
p = D(c) = (c – k) mod (26)
Caesar cipher (4)
Table 8-2 The Vigenère Square
Transposition Cipher
• Easy to understand, but if properly used, produces
ciphertext that is difficult to decipher
• Rearranges values within a block to create
ciphertext
• Can be done at the bit level or at the byte
(character) level
• To make the encryption even stronger, the keys
and block sizes can be made much larger
Railfence cipher
• A transposition cipher rearranges the plaintext letters according to a
secret transformation defined by the key.
• The simplest example of this is the railfence cipher, in which the
plaintext is written in rows of n letter blocks (the number of columns n is
the key) and then the ciphertext is read in columns
• Example:
• Plaintext: TRANSPOSITIONCIPHERX
• In this example, the key is: 5
• Re-write as rows of 5-letter blocks:
• TRANS
• POSIT
• IONCI
• PHERX
• Ciphertext: TPIPROOHASNENICRSTIX
Transposition cipher
• Problems with the railfence cipher:
– The first and last letters of the plaintext do not move
– The key is a number that divides the total message length
• In a single columnar transposition cipher, the key is a word or phrase whose
letters, in alphabetic order, indicate the order of the columns as they are read
• Example:
• Plaintext: TRANSPOSITIONCIPHER
• Key is “SECRET”, so re-write as rows of 6-letter blocks:
• SECRET CEERST
• 521436 123456
• TRANSP ARSNTP
• OSITIO ISITOO
• NCIPHE ICHPNE
• R R
• Ciphertext: AII$RSC$SIH$NTP$TONRPOE$
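The two transposition examples above, worked in code. This is an added example, not part of the original slides; the function names are illustrative, and it assumes the pad character "$" never occurs in the plaintext.

```python
import string


def read_sequence(key):
    """Column indexes in read-out order: alphabetical by key letter,
    ties broken left to right (the two E's in SECRET)."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def column_order(key):
    """Rank written under each key letter, e.g. SECRET -> 5 2 1 4 3 6."""
    order = [0] * len(key)
    for rank, col in enumerate(read_sequence(key), start=1):
        order[col] = rank
    return order


def columnar_encrypt(plaintext, key, pad="$"):
    """Write the plaintext in rows of len(key), pad the last row,
    then read the columns in key order."""
    width = len(key)
    padded = plaintext + pad * (-len(plaintext) % width)
    rows = [padded[i:i + width] for i in range(0, len(padded), width)]
    return "".join(row[c] for c in read_sequence(key) for row in rows)


def columnar_decrypt(ciphertext, key, pad="$"):
    """Slice the ciphertext back into columns, restore their original
    positions, read row by row and strip the padding."""
    width = len(key)
    if len(ciphertext) % width:
        raise ValueError("ciphertext length must be a multiple of the key length")
    height = len(ciphertext) // width
    columns = [""] * width
    for n, c in enumerate(read_sequence(key)):
        columns[c] = ciphertext[n * height:(n + 1) * height]
    rows = ("".join(col[r] for col in columns) for r in range(height))
    return "".join(rows).rstrip(pad)


def row_block_encrypt(plaintext, n):
    """The slide's numeric-key variant: n columns read left to right,
    i.e. a columnar transposition whose key is already in alphabetical
    order (n <= 26 here)."""
    return columnar_encrypt(plaintext, string.ascii_uppercase[:n])


if __name__ == "__main__":
    print(row_block_encrypt("TRANSPOSITIONCIPHERX", 5))
    print(column_order("SECRET"))
    ct = columnar_encrypt("TRANSPOSITIONCIPHER", "SECRET")
    print(ct, "->", columnar_decrypt(ct, "SECRET"))
```

With the numeric key the first and last ciphertext letters equal the first and last plaintext letters, which is the first weakness the slide lists.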
Exclusive OR (XOR)
• Function of Boolean algebra; two bits are
compared
– If two bits are identical, result is binary 0
– If two bits not identical, result is binary 1
• A very simple symmetric cipher that is used in
many applications where security is not a defined
requirement
Table 8-3 XOR Truth Table
Polyalphabetic Ciphers
• Another approach to improving security is to use
multiple cipher alphabets called polyalphabetic
substitution ciphers
• Makes cryptanalysis harder with more alphabets to
guess and flatter frequency distribution
• Use a key to select which alphabet is used for each
letter of the message, use each alphabet in turn and
repeat from start after end of key is reached
Vigenère cipher
• The Vigenère cipher is a polyalphabetic substitution cipher
• A secret word or phrase, representing the key, is agreed by
the sender and receiver
• Each letter of the key is used to encrypt a plaintext letter
using the Caesar cipher; each key letter represents the
“shift” amount (i.e., A=0, B=1, …, Z=25).
• After the final key letter is used to encrypt a plaintext letter,
the first key letter is used (again) to encrypt the next plaintext
letter, and the cipher continues like this; this type of cipher is
called repeated key.
Vigenère Tableau
• If n is the length of the key, then:
• C_i = (P_i + K_(i mod n)) mod 26
• Example:
• Plaintext letter: T
• Key letter: N
• T = 19, N = 13
• C = 19 + 13 = 32 = 6 (mod 26)
• Ciphertext letter: G
Example: Vigenère cipher
• Plaintext: THEBOYHASTHETHEORYHE…
• Key: NUSTNUSTNUSTNUSTNUST…
• Ciphertext: GBWUBSZTFNZXGBWHESZX…
Example: Vigenère cipher
• Plaintext: NETWORKSECURITY
• Key: KHUKHUKHUKHUKHU
• Ciphertext: ???
Security of Vigenère Ciphers
• This will have multiple ciphertext letters for each
plaintext letter, hence letter frequencies are
obscured
• But not totally lost
• Start with letter frequencies
– See whether they look monoalphabetic or not
• If not, then need to determine number of
alphabets
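The shift/Caesar and Vigenère slides above, plus the "start with letter frequencies" check, in one added example (not part of the original slides). The function names and the SAMPLE text are constructed for illustration; the index of coincidence is the statistic used here to tell a monoalphabetic ciphertext from a polyalphabetic one.

```python
from collections import Counter

A = ord("A")


def vigenere(text, key, decrypt=False):
    """C_i = (P_i + K_(i mod n)) mod 26 over A-Z.

    A one-letter key is the shift cipher: key "D" is k = 3 (Caesar).
    Non-letters pass through and do not consume a key letter.
    """
    sign = -1 if decrypt else 1
    out, i = [], 0
    for ch in text.upper():
        if "A" <= ch <= "Z":
            shift = ord(key[i % len(key)].upper()) - A
            out.append(chr((ord(ch) - A + sign * shift) % 26 + A))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def index_of_coincidence(text):
    """Probability that two letters drawn from the text are equal.

    A monoalphabetic substitution only relabels the letters, so the value
    is unchanged from the plaintext; several alphabets flatten the
    distribution and push it down toward 1/26 (about 0.038).
    """
    letters = [c for c in text.upper() if "A" <= c <= "Z"]
    n = len(letters)
    counts = Counter(letters)
    return sum(v * (v - 1) for v in counts.values()) / (n * (n - 1))


# Constructed sample plaintext, long enough for the statistic to be stable.
SAMPLE = (
    "The security of a cryptosystem should depend on keeping the key secret "
    "and not on keeping the algorithm secret. When the same key is used to "
    "encipher and decipher a message, both the sender and the receiver must "
    "protect their copy of the key, because anyone who obtains it can read "
    "every message that was protected with it."
)

if __name__ == "__main__":
    print(vigenere("HELLO", "D"))                        # shift cipher, k = 3
    print(vigenere("THEBOYHASTHETHEORYHE", "NUST"))     # slide example
    for label, key in (("Caesar k=3", "D"), ("Vigenere NUST", "NUST")):
        ic = index_of_coincidence(vigenere(SAMPLE, key))
        print(f"{label:14s} IC = {ic:.4f}")
    print(f"{'plaintext':14s} IC = {index_of_coincidence(SAMPLE):.4f}")
```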
Book or Running Key Cipher
• Uses text in book as key to decrypt a message
• Ciphertext contains codes representing page, line,
and word numbers
• Algorithm is the mechanical process of:
– Looking up the references from the ciphertext
– Converting each reference to a word by using the
ciphertext’s value and the key
• Typical sources are dictionaries and thesauruses
Figure 8-4 Various Hash Values
Hash Functions
• Mathematical algorithms that generate message
summary/digest to confirm message identity and
confirm no content has changed
• Hash algorithms: publicly known functions that
create hash value
• Use of keys not required
– Message authentication code (MAC), however, may
be attached to a message
• Used in password verification systems to confirm
identity of user
Message Authentication
• protects against active attacks
• verifies received message is authentic
– contents unaltered
– from authentic source
– timely and in correct sequence
• can use conventional encryption
– only sender & receiver have key needed
• or separate authentication mechanisms
– append authentication tag to cleartext message
Message Authentication Codes
Secure Hash Functions
Message
Auth
Hash Function Requirements
• applied to any size data
• H produces a fixed-length output.
• H(x) is relatively easy to compute for any given x
• one-way property
– computationally infeasible to find x such that H(x) = h
• weak collision resistance
– computationally infeasible to find y ≠ x such that
H(y) = H(x)
• strong collision resistance
– computationally infeasible to find any pair (x, y) such
that H(x) = H(y)
Hash Functions
• two attack approaches
– cryptanalysis
• exploit logical weakness in algorithm
– brute-force attack
• try many inputs
• strength proportional to size of hash code (2^(n/2))
• SHA most widely used hash algorithm
– SHA-1 gives 160-bit hash
– more recent SHA-256, SHA-384, SHA-512 provide
improved size and security
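The difference between an unkeyed hash and a message authentication code, as an added example that is not part of the original slides. HMAC-SHA-256 is used as one standard MAC construction (the slides do not name one); the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo values.
KEY = b"constructed-demo-key-not-for-real-use"
ORIGINAL = b"PAY 100 TO ALICE"
ALTERED = b"PAY 900 TO MALLORY"


def digest_tag(message):
    """Unkeyed SHA-256 digest: fixed 32-byte output for any input size,
    computable by anyone who knows the (public) algorithm."""
    return hashlib.sha256(message).digest()


def mac_tag(key, message):
    """Keyed tag: only holders of the shared key can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_digest(message, tag):
    return hmac.compare_digest(digest_tag(message), tag)


def verify_mac(key, message, tag):
    # compare_digest runs in constant time, so the comparison itself
    # does not leak how many leading bytes of the tag were correct.
    return hmac.compare_digest(mac_tag(key, message), tag)


def authentication_results():
    """What the receiver concludes in each case."""
    return {
        # Fixed-length output regardless of input size.
        "digest_lengths": {len(digest_tag(b"")), len(digest_tag(b"x" * 10_000))},
        # Integrity against accidental change: the old digest no longer matches.
        "digest_detects_change": not verify_digest(ALTERED, digest_tag(ORIGINAL)),
        # But a digest appended to cleartext can simply be recomputed for the
        # altered message, so it says nothing about the source.
        "recomputed_digest_accepted": verify_digest(ALTERED, digest_tag(ALTERED)),
        # With a MAC the altered message fails under the original tag ...
        "mac_rejects_altered": not verify_mac(KEY, ALTERED, mac_tag(KEY, ORIGINAL)),
        # ... and a tag made without the shared key fails as well.
        "mac_rejects_wrong_key": not verify_mac(
            KEY, ALTERED, mac_tag(b"not-the-shared-key", ALTERED)
        ),
        "mac_accepts_genuine": verify_mac(KEY, ORIGINAL, mac_tag(KEY, ORIGINAL)),
    }


if __name__ == "__main__":
    for name, value in authentication_results().items():
        print(f"{name}: {value}")
```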
Symmetric Encryption (cont’d.)
• Data Encryption Standard (DES): one of most
popular symmetric encryption cryptosystems
– 64-bit block size; 56-bit key
– Adopted by NIST in 1976 as federal standard for
encrypting non-classified information
• Triple DES (3DES): created to provide security far
beyond DES
• Advanced Encryption Standard (AES): developed
to replace both DES and 3DES
Asymmetric Encryption
• Also known as public-key encryption
• Uses two different but related keys
– Either key can encrypt or decrypt message
– If Key A encrypts message, only Key B can decrypt
– Highest value when one key serves as private key
and the other serves as public key
• RSA algorithm
Figure 8-6 Example of Asymmetric Encryption
Encryption Key Size
• When using ciphers, size of cryptovariable or key is
very important
• Strength of many encryption applications and
cryptosystems measured by key size
• For cryptosystems, security of encrypted data is
not dependent on keeping encrypting algorithm
secret
• Cryptosystem security depends on keeping some
or all of elements of cryptovariable(s) or key(s)
secret
Table 8-7 Encryption Key Power
Cryptographic Tools
• Potential areas of use include:
– Ability to conceal the contents of sensitive messages
– Verify the contents of messages and the identities of
their senders
• Tools must embody cryptographic capabilities so
that they can be applied to the everyday world of
computing
Public-Key Infrastructure (PKI)
• Integrated system of software, encryption
methodologies, protocols, legal agreements, and
third-party services enabling users to communicate
securely
• PKI systems based on public-key cryptosystems
• PKI protects information assets in several ways:
– Authentication
– Integrity
– Privacy
– Authorization
– Nonrepudiation
Public-Key Infrastructure (PKI)
(cont’d.)
• Typical PKI solution protects the transmission and
reception of secure information by integrating:
– A certificate authority (CA)
– A registration authority (RA)
– Certificate directories
– Management protocols
– Policies and procedures
Digital Signatures
• Created in response to rising need to verify
information transferred using electronic systems
• Asymmetric encryption processes used to create
digital signatures
• Nonrepudiation: the process that verifies the
message was sent by the sender and thus cannot
be refuted
• Digital Signature Standard (DSS)
Digital Certificates
• Electronic document containing key value and
identifying information about entity that controls key
• Digital signature attached to certificate’s container
file to certify file is from entity it claims to be from
• Different client-server applications use different
types of digital certificates to accomplish their
assigned functions
• Distinguished name (DN): uniquely identifies a
certificate entity
Figure 8-8 Digital Certificate
Table 8-8 X.509 v3 Certificate Structure
Hybrid Cryptography Systems
• Except with digital certificates, pure asymmetric key
encryption not widely used
• Asymmetric encryption more often used with
symmetric key encryption, creating hybrid system
• Diffie-Hellman Key Exchange method:
– Most common hybrid system
– Provided foundation for subsequent developments in
public-key encryption
Figure 8-9 Example of Hybrid Encryption
Steganography
• Process of hiding information
• Has been in use for a long time
• Most popular modern version hides information
within files appearing to contain digital pictures or
other images
• Some applications hide messages in .bmp, .wav,
.mp3, and .au files, as well as in unused space on
CDs and DVDs
Protocols for Secure Communications
• Much of the software currently used to protect the
confidentiality of information is not a true
cryptosystem
• They are applications to which cryptographic
protocols have been added
• Particularly true of Internet protocols
• As the number of threats to the Internet grew, so
did the need for additional security measures
Securing Internet Communication with
S-HTTP and SSL
• Secure Socket Layer (SSL) protocol: uses public
key encryption to secure channel over public
Internet
• Secure Hypertext Transfer Protocol (S-HTTP):
extended version of Hypertext Transfer Protocol;
provides for encryption of individual messages
between client and server across Internet
• S-HTTP is the application of SSL over HTTP
– Allows encryption of information passing between
computers through protected and secure virtual
connection
Securing e-mail with S/MIME, PEM,
and PGP
• Secure Multipurpose Internet Mail Extensions
(S/MIME): builds on Multipurpose Internet Mail
Extensions (MIME) encoding format by adding
encryption and authentication
• Privacy Enhanced Mail (PEM): proposed as
standard to function with public-key cryptosystems;
uses 3DES symmetric key encryption
• Pretty Good Privacy (PGP): uses IDEA Cipher for
message encoding
Securing Web transactions with SET,
SSL, and S-HTTP
• Secure Electronic Transactions (SET): developed
by MasterCard and VISA in 1997 to provide
protection from electronic payment fraud
• Uses DES to encrypt credit card information
transfers
• Provides security for both Internet-based credit
card transactions and credit card swipe systems in
retail stores
Securing Wireless Networks with WEP
and WPA
• Wired Equivalent Privacy (WEP): early attempt to
provide security with the 802.11 network protocol
• Wi-Fi Protected Access (WPA and WPA2): created
to resolve issues with WEP
• Next Generation Wireless Protocols: Robust
Secure Networks (RSN), AES – Counter Mode
Encapsulation, AES – Offset Codebook
Encapsulation
• Bluetooth: can be exploited by anyone within
approximately 30 foot range, unless suitable
security controls are implemented
Protocols for Secure Communications
(continued)
• Securing TCP/IP with IPSec
– Internet Protocol Security (IPSec): open source
protocol to secure communications across any IP-
based network
– IPSec designed to protect data integrity, user
confidentiality, and authenticity at IP packet level
– IPSec combines several different cryptosystems:
Diffie-Hellman; public key cryptography; bulk
encryption algorithms; digital certificates
– In IPSec, IP layer security obtained by use of
application header (AH) protocol or encapsulating
security payload (ESP) protocol
Securing TCP/IP with IPSec and PGP
• Internet Protocol Security (IPSec): an open-source
protocol framework for security development within
the TCP/IP family of protocol standards
• IPSec uses several different cryptosystems
– Diffie-Hellman key exchange for deriving key
material between peers on a public network
– Public key cryptography for signing the Diffie-
Hellman exchanges to guarantee identity
– Bulk encryption algorithms for encrypting the data
– Digital certificates signed by a certificate authority to
act as digital ID cards
Figure 8-10 IPSec Headers
Securing TCP/IP with IPSec and PGP
(cont’d.)
• Pretty Good Privacy (PGP): hybrid cryptosystem
designed in 1991 by Phil Zimmermann
– Combined best available cryptographic algorithms to
become open source de facto standard for
encryption and authentication of e-mail and file
storage applications
– Freeware and low-cost commercial PGP versions
are available for many platforms
– PGP security solution provides six services:
authentication by digital signatures; message
encryption; compression; e-mail compatibility;
segmentation; key management
Table 8-12 PGP Functions
Attacks on Cryptosystems
• Attempts to gain unauthorized access to secure
communications have used brute force attacks
(ciphertext attacks)
• Attacker may alternatively conduct known-plaintext
attack or selected-plaintext attack schemes
Man-in-the-Middle Attack
• Designed to intercept transmission of public key or
insert known key structure in place of requested
public key
• From victim’s perspective, encrypted
communication appears to be occurring normally,
but in fact, attacker receives each encrypted
message, decodes, encrypts, and sends to
originally intended recipient
• Establishment of public keys with digital signatures
can prevent traditional man-in-the-middle attack
Correlation Attacks
• Collection of brute-force methods that attempt to
deduce statistical relationships between structure
of unknown key and ciphertext
• Differential and linear cryptanalysis have been
used to mount successful attacks
• Only defense is selection of strong cryptosystems,
thorough key management, and strict adherence to
best practices of cryptography in frequency of
changing keys
Dictionary Attacks
• Attacker encrypts every word in a dictionary using
same cryptosystem used by target
• Dictionary attacks can be successful when the
ciphertext consists of relatively few characters
(e.g., usernames, passwords)
Timing Attacks
• Attacker eavesdrops during victim’s session
– Uses statistical analysis of user’s typing patterns and
inter-keystroke timings to discern sensitive session
information
• Can be used to gain information about encryption
key and possibly cryptosystem in use
• Once encryption successfully broken, attacker may
launch a replay attack (an attempt to resubmit
recording of deciphered authentication to gain entry
into secure source)
Defending Against Attacks
• No matter how sophisticated encryption and
cryptosystems have become, if key is discovered,
message can be determined
• Key management is not so much management of
technology but rather management of people
Summary
• Cryptography and encryption provide sophisticated
approach to security
– Many security-related tools use embedded
encryption technologies
– Encryption converts a message into a form that is
unreadable by the unauthorized
• Many tools are available and can be classified as
symmetric or asymmetric, each having advantages
and special capabilities
Summary (cont’d.)
• Strength of encryption tool is dependent on key
size but even more dependent on following good
management practices
• Cryptography is used to secure most aspects of
Internet and Web uses that require it, drawing on
extensive set of protocols and tools designed for
that purpose
• Cryptosystems are subject to attack in many ways